There May Have Been a Breakthrough On the U.S.-EU Privacy Shield Deal
The European Commission claims to have improved its deal with the U.S. over the so-called Privacy Shield agreement, which aims to make it easy for U.S. multinationals to legally process the personal data of EU employees and customers.
Privacy Shield is the successor to the Safe Harbor agreement, which was last year struck down by the European Court of Justice (ECJ), the EU’s highest court. When its details were first released, many regulators pointed out that the Privacy Shield draft did not give enough protection to EU citizens to survive another legal challenge at the ECJ.
Now, according to Commission officials, a revised draft includes “a number of additional clarifications and improvements.”
Get Data Sheet, Fortune’s technology newsletter.
The officials said the Commission had agreed on “additional clarifications” with the U.S. on American mass surveillance powers, the role of the “ombudsperson” who will adjudicate complaints from EU citizens about their data being abused, and the transfer of EU citizens’ data to other companies.
The last point is important, as online services are deeply interconnected these days—a U.S. company could sign up to the Privacy Shield register, promising to stick to its rules about protecting EU citizens’ privacy rights, but then it will often transfer that data to other companies for processing.
Now, according to the Commission officials, those other companies would have to tell the company on the Privacy Shield register when they cannot offer sufficient protection to the EU citizens’ data.
The U.S. Office of the Director of National Intelligence has apparently now spelled out how “bulk collection of data” can only be used under specific preconditions, in a way that is as targeted as possible.
However, it remains to be seen whether this element does satisfy the EU courts, as it is not clear whether this targeting only applies to the use of data that has been collected in bulk, or to the collection itself. The U.S. only tends to see surveillance as something that happens when people look at the collected data, whereas the EU legal system sees the collection as surveillance.
As for the new ombudsperson, the new Privacy Shield draft apparently tightens up the language around the role’s independence. EU regulators have warned that, if the ombudsperson does not have real independence from intelligence agencies, it cannot fulfil EU citizens’ rights by giving them an effective complaint route.
For more on privacy, watch our video:
The Commission gave the new draft to representatives of the EU member states on Thursday night. These representatives (a group known as the Article 31 Working Party) now need to vote on the draft.
“After the vote…the College of Commissioners will be able to adopt the final Privacy Shield early July,” a Commission spokesperson said. The Commission was originally aiming to finalize the deal in June.
U.S. multinationals had better hope the new Privacy Shield deal is watertight. They are fast running out of ways to legally handle EU citizens’ personal data, and privacy activists are certain to challenge the new deal in court if they are not satisfied with its details.